a cosmological pedestrian

jailbash

Chroots for users suck!

They are work to maintain, and all in all you have to do a lot of nasty hacks to get them going! In the meantime, AppArmor has landed in the mainline kernel. It is pretty simple to write rules for it, and you can easily update them with tools like ‘logprof’.

Here is a small howto to trap users in their home directory with a simple AppArmor profile. First you need to compile the following C code:

This allows the user to execute the most basic commands he needs and allows ssh, sftp and git access. The user has access to some binaries and can read the directories he needs for a working shell, like /usr/lib. The owner flag lets him write only in his own home directory and browse only his own home directory.

The next step is to create a new user and use /bin/jailbash as the shell. You can update the profile using logprof, or manually if you watch /var/log/audit/audit.log.
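
For the manual route via /var/log/audit/audit.log, here is an added example (not code from the original post) that collects AppArmor denials for one profile and prints them as rule lines to review, using the owner prefix when the process uid matched the file owner. It assumes the profile is named /bin/jailbash; the log lines, the user alice and uid 1001 are constructed sample data.

```python
import re

# Constructed sample lines in the audit.log format AppArmor uses (not from a real host).
SAMPLE_LOG = '''\
type=AVC msg=audit(1400000000.101:201): apparmor="DENIED" operation="open" profile="/bin/jailbash" name="/etc/shadow" pid=4121 comm="cat" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
type=AVC msg=audit(1400000001.102:202): apparmor="DENIED" operation="mknod" profile="/bin/jailbash" name="/home/alice/notes.txt" pid=4122 comm="touch" requested_mask="c" denied_mask="c" fsuid=1001 ouid=1001
type=AVC msg=audit(1400000002.103:203): apparmor="DENIED" operation="open" profile="/bin/jailbash" name="/home/alice/notes.txt" pid=4123 comm="vim" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=1001
type=AVC msg=audit(1400000003.104:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1400000004.105:205): arch=c000003e syscall=2 success=no exit=-13 comm="cat"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit masks "c" (create) and "d" (delete) are both covered by "w" in profile rules.
AUDIT_TO_RULE = {"c": "w", "d": "w"}

def parse_fields(line):
    """Split one audit line into key/value pairs, unquoting quoted values."""
    return {k: (q or u) for k, q, u in FIELD.findall(line)}

def denials(log_text, profile):
    """Return {path: {"mask", "owner_only", "comms"}} for DENIED events of one profile."""
    out = {}
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile or "name" not in f:
            continue
        e = out.setdefault(f["name"], {"mask": set(), "owner_only": True, "comms": set()})
        e["mask"] |= {AUDIT_TO_RULE.get(c, c) for c in f.get("denied_mask", "")}
        # Only suggest "owner" if every denied access came from the file's owner.
        e["owner_only"] &= f.get("fsuid") is not None and f.get("fsuid") == f.get("ouid")
        e["comms"].add(f.get("comm", "?"))
    return out

def candidate_rules(log_text, profile):
    """Format denials as profile-style lines. These are review items, not rules to paste:
    a denial on a path outside the home directory is usually the jail doing its job."""
    rules = []
    for path, e in sorted(denials(log_text, profile).items()):
        mask = "".join(c for c in "rwaxmlk" if c in e["mask"])
        rules.append(f'{"owner " if e["owner_only"] else ""}{path} {mask},')
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG, "/bin/jailbash"):
        print(rule)
```
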